Guest / Non-Guest Network with Separate DHCP and Firewall Rules?



  • Strange question here. I have a router that has both a normal and a guest network. I have the pfSense configured to hand out IPs via DHCP to authorized MACs. Is there a way to have another subnet for the guest WiFi, where devices that are NOT in the authorized MAC list are still given an IP via DHCP and use their own firewall rules (IE no contact with the MAC authorized devices)? I know I can do this with a more powerful system since I've seen it done, but I just have a normal SOHO mesh WiFi system running in AP mode and let the pfSense run the DHCP service.



  • The usual way to have guest WiFi is to use a 2nd SSID and VLAN. Then set up the appropriate rules for the guest network. However, with the DHCP server, you can map authorized devices to specific addresses, which don't overlap the DHCP addresses for other devices. You can try filtering on the separate ranges. For example, have the mapped devices in the lower half of the subnet address range and the other devices in the upper half.



  • I did exactly that. The issue is that if I only allow certain MACs on my primary LAN and want to assign the guests to the VLAN I have configured, I don't know their MACs in advance, so I'm not sure how to associate them with the VLAN automatically and have them use the VLAN rules instead.



  • You didn't initially say you had a VLAN. However, why do you have to worry about the MACs? Just give them the SSID & password for the guest WiFi. That way they'll be on the guest VLAN and pfSense should keep them off the local LAN. No need to worry about the MAC as those users are already segregated.



  • I’m clearly not explaining myself well, but to clarify, I don’t have a pfSense install that has its own WiFi support. The pfSense is running the DHCP server to issue IPs to devices that connect to a SOHO WiFi AP. I am not clear how to have unknown devices grab an IP from the VLAN and the known devices grab fixed IPs for normal LAN access. Ugh, I’m sure it’s easy, just not getting the last step. I’m pretty sure you can’t have 2 DHCP servers on the same subnet, so my original config didn’t work correctly.



  • When you create a VLAN, you can also configure the DHCP server to provide addresses to it. The address block must be different from the main LAN. You then configure the AP for the VLAN & 2nd SSID. When guests connect to the guest WiFi, they are connected to the VLAN and get a DHCP address from the VLAN range. I assume the AP supports multiple SSIDs and VLANs.



  • Nope, my Netgear Orbi mesh WiFi system does not support VLANs natively, that’s why I’ve been trying to figure out a workaround with the pfSense. I was thinking that I could also just block the guest DHCP IPs from being able to talk to my other devices by making a block rule, but that didn’t work either.



  • @fvultee said in Guest / Non-Guest Network with Separate DHCP and Firewall Rules?:

    Nope, my Netgear Orbi mesh WiFi system does not support VLANs natively, that’s why I’ve been trying to figure out a workaround with the pfSense. I was thinking that I could also just block the guest DHCP IPs from being able to talk to my other devices by making a block rule, but that didn’t work either.

    I just noticed something I missed before:

    (IE no contact with the MAC authorized devices)

    pfSense cannot do that, as it has absolutely no effect on traffic between devices on the same subnet. pfSense is a router, which means it only affects traffic that passes through it. The only way to prevent guest devices from contacting "authorized" devices is with a separate SSID and VLAN.
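The following script is an added illustration, not code from this thread or from pfSense. It models two things the replies above describe: the "lower half for static mappings, upper half for the dynamic pool" split of one subnet with first-match rules on those ranges, and the caveat in the last reply that a router never sees traffic between two hosts on the same subnet, so no such rule can block it. The subnet 192.168.1.0/24, the MAC addresses, the 192.168.2.0/24 management network and the rule set are constructed for the example; the rule evaluation is a simplified model of pfSense's first-match behaviour with an implicit default deny, not its actual engine.

```python
import ipaddress

# Constructed example values: the LAN subnet, the MAC addresses and the
# 192.168.2.0/24 "management" network are made up for illustration.
LAN = ipaddress.ip_network("192.168.1.0/24")
MGMT = ipaddress.ip_network("192.168.2.0/24")   # another internal network routed by pfSense
HOSTS = list(LAN.hosts())                        # .1 .. .254
GATEWAY = HOSTS[0]                               # .1 is pfSense itself
MID = len(HOSTS) // 2                            # 127

# Lower half (.2 .. .127): fixed addresses handed out by DHCP static mappings.
# Upper half (.128 .. .254): dynamic pool that unknown MACs draw from.
STATIC_RANGE = (HOSTS[1], HOSTS[MID - 1])
POOL_RANGE = (HOSTS[MID], HOSTS[-1])

AUTHORIZED_MACS = {  # constructed
    "00:11:22:33:44:55": "laptop",
    "66:77:88:99:aa:bb": "nas",
}


def ranges_disjoint(a=STATIC_RANGE, b=POOL_RANGE):
    """True when the static-mapping range ends before the dynamic pool starts."""
    return a[1] < b[0]


def static_mappings(authorized=AUTHORIZED_MACS):
    """Give every authorized MAC a fixed address from the lower half, in MAC order."""
    first = int(STATIC_RANGE[0])
    macs = sorted(authorized)
    if len(macs) > int(STATIC_RANGE[1]) - first + 1:
        raise ValueError("more authorized devices than static addresses")
    return {mac: ipaddress.ip_address(first + i) for i, mac in enumerate(macs)}


def in_range(ip, rng):
    ip = ipaddress.ip_address(ip)
    return rng[0] <= ip <= rng[1]


def classify(ip):
    """Label an address by the half of the subnet it falls in."""
    ip = ipaddress.ip_address(ip)
    if ip not in LAN:
        return "outside"
    if ip == GATEWAY:
        return "gateway"
    if in_range(ip, STATIC_RANGE):
        return "authorized"
    if in_range(ip, POOL_RANGE):
        return "guest"
    return "reserved"   # network / broadcast addresses


# First-match rules in the spirit of a LAN-tab rule set: (action, source range, destination).
# Destination "any" matches everything; a network object matches addresses inside it.
RULES = [
    ("block", POOL_RANGE, MGMT),      # guests may not reach the other internal network
    ("pass", POOL_RANGE, "any"),      # guests may reach the Internet
    ("pass", STATIC_RANGE, "any"),    # authorized devices may go anywhere
]


def router_decision(src, dst, rules=RULES):
    """What the router would do with a packet from src to dst.

    Traffic between two hosts on the same LAN subnet is switched directly
    by the AP/switch and never reaches the router, so no rule can block it.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in LAN and d in LAN:
        return "not seen by router"
    for action, src_rng, dst_net in rules:
        if not in_range(s, src_rng):
            continue
        if dst_net == "any" or d in dst_net:
            return action
    return "block"   # implicit default deny


if __name__ == "__main__":
    print("static mappings:", static_mappings())
    for s, d in [("192.168.1.200", "192.168.1.2"), ("192.168.1.200", "192.168.2.10"),
                 ("192.168.1.200", "203.0.113.5"), ("192.168.1.2", "192.168.2.10")]:
        print(f"{s} -> {d}: {router_decision(s, d)}")
```

Running it shows the range split doing its job for traffic that crosses pfSense (a guest address is blocked from 192.168.2.0/24 but passed to the Internet) and failing for exactly the case asked about in the opening post: a guest at 192.168.1.200 talking to an authorized device at 192.168.1.2 is reported as "not seen by router", which is why a separate SSID and VLAN is the only way to keep guests off the authorized devices.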

